{
	"id": "09c43303-b24c-40f1-af7f-70bb585999ca",
	"created_at": "2026-04-06T00:10:51.444238Z",
	"updated_at": "2026-04-10T03:20:02.913729Z",
	"deleted_at": null,
	"sha1_hash": "0f6bedc77ec1cd79a67f5e519ae49a22a6233f77",
	"title": "Surveillance Malware Trends: Tracking Predator Pain and HawkEye",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 497299,
	"plain_text": "Surveillance Malware Trends: Tracking Predator Pain and\r\nHawkEye\r\nBy Rob Downs\r\nPublished: 2015-10-16 · Archived: 2026-04-05 16:19:21 UTC\r\nMalicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor\r\npursues is the theft of authentication information, whether it applies to business or personal accounts. Unless\r\nspecifically mitigated, this theft often allows an unauthorized actor to masquerade as the victim, either achieving\r\nimmediate gains or creating a platform from which progressive attack campaigns may launch.\r\nThere are a number of threats that endanger the critical secrecy of credentials, including poor operational security\r\npractices, social engineering, man-in-the-middle attacks, password hash dumping and cracking, and surveillance\r\nmalware. In this post, Unit 42 examines various trends in a malware threat set within the surveillance malware\r\ncategory: Predator Pain and its latest derivative, HawkEye.\r\nThreat Background\r\nSurveillance malware covers a broad range of capabilities, including:\r\nCapture of keyboard and / or input device (e.g., mouse) activity, with window / process awareness\r\n(keylogging)\r\nTaking asset display screen shots or video (display capturing)\r\nAssuming control of cameras and / or microphones attached to an asset (live surveillance)\r\nInterception of network communications (sniffing)\r\nEach of these capabilities can be qualified by its scope (i.e., types of information collected) and method (ranging\r\nin techniques and sophistication). 
Additionally, some surveillance software includes its own exfiltration\r\nmechanism, while others may depend on external software to accomplish the transfer of captured information.\r\nBoth Predator Pain and HawkEye are considered keyloggers, but they also include additional features, such as\r\nweb browser and e-mail client credential dumping, display capture, and captured information exfiltration.\r\nHawkEye is openly sold on a commercial website, whereas Predator Pain is usually acquired through underground\r\nforums. Associated features have made this set of malware popular with malicious actors across a number of\r\nmotivations; however, the most prevalent motivation remains cyber crime, in which stolen information is directly\r\nexploited or sold for financial gain. (A list of additional reading links is found at the end of this blog post for\r\nanyone interested in learning more about this specific threat set.)\r\nTrending and Analysis: July 2015-September 2015\r\nThe following sections describe Predator Pain and HawkEye trending and analysis conducted by Unit 42 from\r\nJuly 2015 through September 2015. We leveraged the Palo Alto Networks AutoFocus service, under which this\r\nhttps://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/\r\nPage 1 of 8\n\nthreat set is tagged as PredatorPain.\r\nTarget Selection\r\nAlmost all of the adversaries Unit 42 observed employing this malware threat set harvest publicly disclosed or\r\nleaked e-mail addresses to construct phishing campaign targeting lists. These lists are mostly indiscriminate, with\r\nmalicious actors seeking any opportunistic gains they can glean from “shotgun” style attack campaigns. The\r\nnatural exposure of businesses with publicly advertised e-mail addresses (e.g., sales@\u003cdomain\u003e or\r\ninfo@\u003cdomain\u003e) makes for easy targeting of what typically represents key organizational e-mail distributions. 
In\r\nother words, these distributions normally reach a number of staff at the target organization who are motivated by\r\ntheir importance to business, increasing the likelihood of them inadvertently executing malicious code on their\r\nsystems.\r\nThreat Volume\r\nFigure 1 depicts July to September 2015 sessions (individual occurrences) for this threat set.\r\nFigure 1: Predator Pain / HawkEye Sessions, Jul - Sep 2015\r\nObserved sessions revealed an interesting pattern in distribution volume ramping up on Sunday for peaks over\r\nMonday through Wednesday, with significant volume dropping from Thursday onward. We believe this\r\ncorresponds with focused business targeting early in the workweek, per the previously noted targeting process\r\nemployed by most cyber crime actors.\r\nDelivery\r\nFigure 2 shows the delivery methods observed for the Predator Pain and HawkEye threat set over the period of\r\ninterest, with e-mail by far being the preferred delivery method for adversaries.\r\nFigure 2: Predator Pain / HawkEye delivery methods, Jul - Sep 2015\r\nExploring respective phishing attacks further revealed the following lure themes:\r\nNotification or issues with product order or shipping\r\nNotification or issues with payment, purchase order, invoice, or billing\r\nProduct or service quotation request\r\nConfusing, random, and/or purportedly personal topics\r\nTable 1 contains some examples of more common e-mail phishing attack subject and attached filename pairings:\r\nEmail Subject Email Attachment Filename\r\nRe: Purchase Order PO #5479423.exe\r\nM.V. Chuetsu Spirit V.62A - SI / agency appointment / PDI CHUETSU DREAM V.26A SI HK.scr\r\nDHL AWB# 34 5673 0015 / shipment payment.exe\r\nNew Order ORDER.exe\r\nQuotation. 
purchase order.exe\r\nTable 1: Lure theming examples for e-mail attacks, July - September 2015\r\nRespective malware delivered via malicious e-mail mainly consisted of Microsoft Windows Portable Executable\r\n(PE) 32-bit and 64-bit binaries. Microsoft Word or RTF documents constituted the remainder of malicious files.\r\nAttempted downloads of this threat from web and FTP sites were also observed; however, these represented\r\ndrastically lower occurrences (session counts).\r\nObserved Targeting\r\nWith these distribution methods in mind, Figure 3 shows an AutoFocus visualization for the 80 countries Unit 42\r\nobserved as targeted by the Predator Pain and HawkEye threat set during the noted time period.\r\nFigure 3: AutoFocus view of Predator Pain / HawkEye targeted countries, Jul - Sep 2015\r\nNot surprisingly, the top-ten list of most highly targeted countries includes 7 of the 23 wealthiest in the world,\r\nbased on GDP per capita:\r\nUnited States\r\nAustralia\r\nCanada\r\nThailand\r\nTaiwan ROC\r\nKuwait\r\nJapan\r\nSpain\r\nItaly\r\nSweden\r\nThe top ten targeted industries accounted for 82% of sessions:\r\nHigh Tech\r\nHigher Education\r\nManufacturing\r\nProfessional and Legal Services\r\nTransportation and Logistics\r\nWholesale and Retail\r\nConstruction\r\nMedia and Entertainment\r\nTelecommunications\r\nGovernment\r\nWe suggest three reasons based on this combination of observed countries and industries targeted:\r\nInnovative organizations are prime targets for a number of adversary motivations due to the capabilities\r\nand intellectual capital they aggregate.\r\nService-oriented businesses striving to develop customer relationships are more likely to fall victim to\r\nphishing attacks 
due to both organizational culture and incentives for client and customer engagement.\r\nNatural target saturation occurs within countries with established or thriving infrastructure, enabling\r\nmalicious actors to reach a broader range of targets remotely through technology.\r\nPrevalent Malware Capabilities\r\nThe Predator Pain and HawkEye set of malware is feature rich, compared to most other keyloggers. The following\r\nare the capabilities Unit 42 observed as most often enabled for this threat set during the focal time period (ordered\r\nby prevalence):\r\nE-mail client credential dump\r\nWeb browser credential dump\r\nCollection of system configuration information\r\nLogging of web browser activity\r\nLogging of e-mail activity\r\nScreenshot grabbing\r\nExfiltration Method Break-Out\r\nThis threat set includes three main methods of exfiltration: E-mail, PHP-based Web Panel, and FTP. Figure 4\r\nshows the HawkEye keylogger’s settings page, where the method employed by an instance can be specified.\r\nFigure 4: HawkEye keylogger settings screen\r\nThe Predator Pain and HawkEye configurations analyzed by Unit 42 over the focal time period revealed the\r\nfollowing break-out for exfiltration method, with e-mail constituting the preferred method across a number of\r\nmalicious actors:\r\nFigure 5: Predator Pain / HawkEye exfiltration method break-out, Jul – Sep 2015\r\nConclusion\r\nPrevention is the best strategy when it comes to the threat posed by keyloggers, such as the Predator Pain and\r\nHawkEye set. 
System hardening, integrity assurance, software version and patch management, and user awareness\r\nare just the first steps towards threat mitigation.\r\nRecommendations to protect against this class of threat include:\r\nEmploy multi-factor authentication: Knowledge-based authentication relies on the secrecy of\r\ninformation. Including elements of what you have (i.e., hardware token) or what you are (i.e., biometrics)\r\ncan reduce the value of respective stolen credentials for an adversary if that information only satisfies one\r\nlevel in the authentication process.\r\nLimit the impact of stolen credential information: Don’t share credentials across accounts and change\r\nthose credentials periodically. Adversaries commonly engage in activities such as credential stuffing in an\r\nattempt to maximize benefits of stolen credentials.\r\nMaximize network control and visibility: The latest Verizon DBIR included the finding that in over 25%\r\nof breaches, the organization was notified of the breach through a third party. Inbound, outbound, and\r\ninternal network traffic needs to be controlled and monitored. This is also useful for disrupting malware C2\r\nand exfiltration channels.\r\nIntegrate anti-malware automated dynamic analysis (e.g., sandboxing): Identify previously unknown\r\nthreats before they become much larger problems on the network. Given the anti-detection tools at the\r\ndisposal of adversaries, this is a modern necessity.\r\nImplement network segmentation: Avoid flat networks, where once an adversary is in they have\r\nunrestricted access to internal resources. Network segmentation is a best practice for exposing only enough\r\ninformation as is required for specific organizational processes, moving toward a “zero trust” model. 
In this\r\ncontext, it is about further limiting the access of an adversary should they successfully compromise\r\ncredentials.\r\nSource: https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/"
	],
	"report_names": [
		"surveillance-malware-trends-tracking-predator-pain-and-hawkeye"
	],
	"threat_actors": [],
	"ts_created_at": 1775434251,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f6bedc77ec1cd79a67f5e519ae49a22a6233f77.pdf",
		"text": "https://archive.orkl.eu/0f6bedc77ec1cd79a67f5e519ae49a22a6233f77.txt",
		"img": "https://archive.orkl.eu/0f6bedc77ec1cd79a67f5e519ae49a22a6233f77.jpg"
	}
}